VirtualBox 5.2.22 released

Oracle released an update for the virtualization solution VirtualBox on November 9, 2018. This updates VirtualBox to version 5.2.22. However, it is unclear whether a 0-day vulnerability in previous builds has been fixed.


What’s changed in VirtualBox 5.2.22

The new version 5.2.22 is a maintenance update. According to the changelog, the following has been fixed, changed or improved in VirtualBox 5.2.22:

Audio: fixed a regression in the Core Audio backend causing a hang when returning from host sleep when processing input buffers

Audio: fixed a potential crash in the HDA emulation if a stream has no valid mixer sink attached — thanks to Rink Springer (rink@…)

The new version of the virtualization software can be downloaded for Windows, Mac OSX and Linux from this download page. Please note that an updated version of the Oracle VM VirtualBox Extension Pack must also be downloaded and installed. VirtualBox can be used freely, but there are special license terms for the Extension Pack.

Unclear whether 0-day exploit is fixed

On November 8, 2018, I reported a 0-day exploit in VirtualBox up to version 5.2.20 (see my blog post VirtualBox: Exploit for 0-day vulnerability). This allows guests with administrator privileges to break out of the VM via the network adapter and take over the host. I’m not sure if the update to VirtualBox version 5.2.22 fixes this 0-day vulnerability. On GitHub, this commenter has the same question. Therefore, if someone is still using VirtualBox, I recommend that you continue to use the mitigation solution described in my blog post.
